A pass-set is a form of secret authentication data that is used to control access to a resource, thereby providing security. Each time a user wishes to use the resource the user is asked to enter the pass-set. If the entered pass-set is valid, the user is permitted to access the resource, otherwise access is denied.
Pass-set entry requirements are used in a variety of applications. For example, a typical computer user is required to enter pass-sets for a wide variety of purposes, such as logging in to a computer account, retrieving e-mail from servers, accessing certain files, databases, networks, web sites, etc. In banking applications, a bank account holder is required to enter a personal identification number (PIN) in order to access an automated teller machine (ATM) to conduct a banking transaction.
Pass-sets generally contain a string of data including numerical digits, upper/lower case alphabetical characters, and other typeable symbols. Preferably, from a security perspective, the string of data for any given pass-set contains as random a sequence of digits, characters and symbols as possible. While random-like sequences are more secure, they are often difficult for users to remember, and users often change the pass-set to something that is easier to remember, for example, the name or other descriptive characteristic of a family member (e.g., a birth date). Unfortunate consequences of simplifying the pass-set, however, are that the pass-set becomes more susceptible to being cracked by a hacker, and the security of the resource becomes compromised.
A pass-set should be kept secret by those who are entitled to access the resource so that secure access to the resource can be maintained. This is easy while users are not accessing the resource. However, the users must reveal the pass-set, to some degree, when requesting access to a resource. While the pass-set may be revealed only for a brief moment in time, this does, nevertheless, render the pass-set vulnerable to being stolen. One of the typical methods of entering the pass-set before accessing the resource is to type in the pass-set from a device such as a keyboard, a number pad, push buttons on a telephone, or the like. Another method is to enter the pass-set verbally into a system that recognizes human voices. A problem with both of these approaches is that an eavesdropper may steal the pass-set by watching or listening to the pass-set being entered. The stolen pass-set then allows the resource to be accessed illegitimately. These problems are compounded by the availability of state-of-the-art keystroke recording and voice recording virus software on computers, since such software provides perpetrators the means to pick up the pass-set even if a user is very careful when entering the pass-set. For example, typing with a shield covering the keyboard or speaking in a low voice would not be a defense against such virus software.
Entering a pass-set is one factor of authentication (something you know). Another factor (something you are) includes using biometrics such as fingerprints, retinal scanning, facial recognition, or hand geometry of a user. While these authentication approaches do provide some degree of security, they also have limitations. For example, using biometrics to match the identity of a user against a pre-stored database can be unreliable. False acceptance and false rejection have been topics debated in the field of biometrics. Biometric properties may also be falsified; for example, a perpetrator may create a false identification by lifting a fingerprint from a glass held by a legitimate user in order to access the resource illegitimately.
It would be desirable, therefore, to have systems and methods that allow users to securely enter pass-sets for accessing resources without the risk of revealing the pass-sets to others.